logstash-input-github 3.0.10 → 3.0.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 04e8fc3627d5e297908f616eb519b01572b9fc0888833c1a48643d4f3db6fb2b
-  data.tar.gz: d0bc1e82f00ef4c6bddf2c493196182ad6c868114f170b7a10f8243fc1589421
+  metadata.gz: 5a2e9406f2b0551cab7547fc1388d5736488c5c890be09ed467755ddf0ca44f7
+  data.tar.gz: b4c9e430f3990747bd97ed2102936c1b842a8cad1d68e9482930adf32faf211c
 SHA512:
-  metadata.gz: '07769130dfe2c98f413db3dace51e85fa8d3f6898012d7f0001b9ef7a98e9fa1b576216b064b28652d475af1f4462adeac55024e7bc604314c615db0120083b4'
-  data.tar.gz: 0c613a3f8d1a467a02bdefaa0b4984a754c40a41210edd2fffc54757ae31ab2c18854d8a72da1fa095f3542a8435ca1812cf0d2bdfb0c84b2dc2e7001447a308
+  metadata.gz: dbeb962c978bc18ba2ab5154d098d3ee9e1616abeb0acd4773b7806543a35aaed89a12025d6d4d27d6bfa222fcc6be2fa7c5c186c6a1091d8fa1aca06a2a0d08
+  data.tar.gz: b79af6da525e68f796c30cce532bce4ec0598d20d84f24f9b45a8374a7baf409db443a3c1f321d9d3c1c6ea20b1fb957d592cf8c59abbe51b1b58a1e88e6adae

data/CHANGELOG.md

@@ -1,6 +1,9 @@
+## 3.0.11
+  - Change `secret_token` config type to `password` for better protection from leaks in debug logs [#23](https://github.com/logstash-plugins/logstash-input-github/pull/23)
+
 ## 3.0.10
   - Changed the transitive dependency `http_parser.rb` (ftw) version to `~-> 0.6.0` as newer versions are published without the java support.
-  - Fixed crashing when the request body payload is not a JSON object.  [#24](https://github.com/logstash-plugins/logstash-input-github/pull/24) 
+  - Fixed crashing when the request body payload is not a JSON object.  [#24](https://github.com/logstash-plugins/logstash-input-github/pull/24)  
 
 ## 3.0.9
   - Bump ftw dependency to 0.0.49, for compatibility with Logstash 7.x

data/docs/index.asciidoc

@@ -34,7 +34,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-drop_invalid>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ip>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
-| <<plugins-{type}s-{plugin}-secret_token>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-secret_token>> |<<password,password>>|No
 |=======================================================================
 
 Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
@@ -71,7 +71,7 @@ The port to listen on
 [id="plugins-{type}s-{plugin}-secret_token"]
 ===== `secret_token` 
 
-  * Value type is <<string,string>>
+  * Value type is <<password,password>>
   * There is no default value for this setting.
 
 Your GitHub Secret Token for the webhook

data/lib/logstash/inputs/github.rb

@@ -16,7 +16,7 @@ class LogStash::Inputs::GitHub < LogStash::Inputs::Base
   config :port, :validate => :number, :required => true
 
   # Your GitHub Secret Token for the webhook
-  config :secret_token, :validate => :string, :required => false
+  config :secret_token, :validate => :password, :required => false
 
   # If Secret is defined, we drop the events that don't match.
   # Otherwise, we'll just add an invalid tag
@@ -77,7 +77,7 @@ class LogStash::Inputs::GitHub < LogStash::Inputs::Base
 
     sign_header = event.get("[headers][x-hub-signature]")
     if sign_header
-      hash = 'sha1=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), @secret_token, body)
+      hash = 'sha1=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), @secret_token.value, body)
       event.set("hash", hash)
       return true if Rack::Utils.secure_compare(hash, sign_header)
     end

data/logstash-input-github.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-input-github'
-  s.version         = '3.0.10'
+  s.version         = '3.0.11'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Reads events from a GitHub webhook"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

data/spec/inputs/github_spec.rb

@@ -27,7 +27,7 @@ describe  LogStash::Inputs::GitHub do
   end
 
   describe "verify webhook signature if token provided" do
-    let(:plugin) { LogStash::Plugin.lookup("input", "github").new( {"port" => 9999, "secret_token" => "my_secret"} ) }
+    let(:plugin) { LogStash::Plugin.lookup("input", "github").new( {"port" => 9999, "secret_token" => ::LogStash::Util::Password.new("my_secret")} ) }
     let(:body) {IO.read("spec/fixtures/event_create.json")}
     let(:headers) { {"x-hub-signature" => "hash"} }
     let(:event) {plugin.build_event_from_request(body,headers)}
@@ -153,4 +153,15 @@ describe  LogStash::Inputs::GitHub do
       end
     end
   end
+
+  describe "debugging `secret_token`" do
+    let(:plugin) { LogStash::Plugin.lookup("input", "github").new( {"port" => 9999, "secret_token" => ::LogStash::Util::Password.new("my_secret")} ) }
+
+    it "should not show origin value" do
+      expect(plugin.logger).to receive(:debug).with('<password>')
+
+      plugin.register
+      plugin.logger.send(:debug, plugin.secret_token.to_s)
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-github
 version: !ruby/object:Gem::Version
-  version: 3.0.10
+  version: 3.0.11
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-12-22 00:00:00.000000000 Z
+date: 2023-05-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -141,7 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.2.33
 signing_key:
 specification_version: 4
 summary: Reads events from a GitHub webhook